FW: [Dshield] odd udp port 0 traffic

Funk Jr, Joseph C. jcfunkjr at co.bucks.pa.us
Thu Mar 18 21:27:43 GMT 2004


Excuse me, here is that German link:

http://babelfish.altavista.com/babelfish/urlload?url=http%3A%2F%2Fgroups.google.com%2Fgroups%3Fq%3D216.74.145.71%26hl%3Den%26lr%3D%26ie%3DUTF-8%26edition%3Dus%26selm%3D890e7989.0210290826.3659d45b%2540posting.google.com%26rnum%3D1&lp=de_en&tt=url

-----Original Message-----
From: Funk Jr, Joseph C. 
Sent: Thursday, March 18, 2004 4:24 PM
To: 'General DShield Discussion List'
Cc: 'jimmythegeek at techemail.com'
Subject: RE: [Dshield] odd udp port 0 traffic


Check this out, this looks very interesting: http://people.ists.dartmouth.edu/~gbakos/bindsweep/

It is about malformed DNS messages involving format error and a possible cause, a virus called W32/Calypso-tr.

As far as the purpose of the traffic, according to the above link, "it could result in a denial-of-service (DoS) attack if the server attempts to parse the packet but is unable to".

It finally directs to this link, for a description of the W32/Calypso-tr virus, if this is in fact the culprit: http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=526

Sidenote: that IP was detected by a fake open relay 'honeypot' back in 2002 doing pings every 40 minutes, along with a few other IPs. Here is the English translation of the posting (it's a poor translation, but you get the drift).



Joseph C Funk Jr
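The "format error" the bindsweep page talks about is RCODE 1 (FORMERR, RFC 1035 section 4.1.1), the answer a name server is supposed to send back when it cannot make sense of a request. The DoS worry quoted above is what happens when the parser trusts the length fields in the packet instead of answering FORMERR. The following is an added example, not code from this thread, from the bindsweep page, or from any DNS server: a small Python parser for the header and question section of a DNS query that bounds every read against the packet length and caps compression-pointer hops, so truncated packets and pointer loops are reported as FORMERR instead of crashing or spinning. The sample packets (GOOD, TRUNCATED, LOOP, NOQUESTION) and the MAX_POINTER_HOPS limit are constructed here for illustration; nothing about the actual port 0 traffic or the virus is assumed.

```python
import struct

# RCODE values from RFC 1035, section 4.1.1
NOERROR = 0
FORMERR = 1

MAX_POINTER_HOPS = 16   # hypothetical bound chosen for this example
MAX_NAME_LEN = 255      # RFC 1035 section 2.3.4


class DnsFormatError(Exception):
    """The message cannot be parsed; a server would answer RCODE=FORMERR."""


def read_name(msg, offset):
    """Decode a domain name at `offset`; return (name, offset just past it).

    Every read is bounds-checked against len(msg), and compression pointers
    (RFC 1035 section 4.1.4) are limited to MAX_POINTER_HOPS so a pointer
    that refers back to itself cannot make the parser loop forever.
    """
    labels, total, hops, end = [], 0, 0, None
    while True:
        if offset >= len(msg):
            raise DnsFormatError("name runs past end of message")
        length = msg[offset]
        if length == 0:                       # root label terminates the name
            offset += 1
            break
        if length & 0xC0 == 0xC0:             # 11xxxxxx: compression pointer
            if offset + 1 >= len(msg):
                raise DnsFormatError("truncated compression pointer")
            target = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:                   # name ends after the first pointer
                end = offset + 2
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise DnsFormatError("compression pointer loop")
            offset = target                   # bounds-checked at top of loop
            continue
        if length & 0xC0:                     # 01xxxxxx / 10xxxxxx are reserved
            raise DnsFormatError("reserved label type")
        offset += 1
        if offset + length > len(msg):
            raise DnsFormatError("label runs past end of message")
        total += length + 1
        if total > MAX_NAME_LEN:
            raise DnsFormatError("name longer than 255 octets")
        labels.append(msg[offset:offset + length].decode("ascii", "replace"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_query(msg):
    """Parse header plus question section of a query; raise DnsFormatError."""
    if len(msg) < 12:
        raise DnsFormatError("header shorter than 12 octets")
    txid, flags, qdcount, _an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if flags & 0x8000:
        raise DnsFormatError("QR bit set: this is a response, not a query")
    if qdcount == 0:
        raise DnsFormatError("no question section")
    offset, questions = 12, []
    for _ in range(qdcount):
        name, offset = read_name(msg, offset)
        if offset + 4 > len(msg):
            raise DnsFormatError("question truncated before QTYPE/QCLASS")
        qtype, qclass = struct.unpack("!HH", msg[offset:offset + 4])
        offset += 4
        questions.append((name, qtype, qclass))
    return {"id": txid, "flags": flags, "questions": questions}


def classify(msg):
    """Return (rcode, detail): first QNAME on success, reason on FORMERR."""
    try:
        return NOERROR, parse_query(msg)["questions"][0][0]
    except DnsFormatError as err:
        return FORMERR, str(err)


def formerr_response(msg):
    """Build the 12-octet FORMERR reply a server would send for a bad query.
    The transaction ID is echoed when at least two octets were received."""
    txid = struct.unpack("!H", msg[:2])[0] if len(msg) >= 2 else 0
    return struct.pack("!6H", txid, 0x8000 | FORMERR, 0, 0, 0, 0)


def build_query(txid, name, qtype=1):
    """Encode a standard recursive query (flags RD=1) for `name`."""
    header = struct.pack("!6H", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


# Constructed sample packets (not captured traffic).
GOOD = build_query(0x1234, "example.com")          # well-formed A query
TRUNCATED = GOOD[:20]                              # cut off inside the QNAME
LOOP = GOOD[:12] + b"\xc0\x0c" + b"\x00\x01\x00\x01"  # pointer to itself
NOQUESTION = struct.pack("!6H", 0x1234, 0x0100, 0, 0, 0, 0)

if __name__ == "__main__":
    for label, pkt in [("GOOD", GOOD), ("TRUNCATED", TRUNCATED),
                       ("LOOP", LOOP), ("NOQUESTION", NOQUESTION)]:
        print(label, classify(pkt))
```

The point of `classify` never raising is the one the bindsweep quote makes: a server that turns every parse failure into a FORMERR reply (or silently drops the datagram) cannot be taken down by a packet it cannot parse, whereas one that indexes into the buffer on the strength of the length octets can. The pointer-hop cap and the 255-octet name limit are the two checks most often missing from hand-written parsers.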



